The custom emoji’s was a developed feature of Lemmy pushed out in their UI code. Even the project mainters instance was affected. Its why 0.18.2 was released.
Thats not on server/infra operators. It was a vuln in the core UI code. Some operators DID patch it themselves (i think Beehaw is one), others were less affected (ie: My instance is closed and i dont use custom emjis anyhow), but those are features introduced by the maintainers and some of the bigger instances would get requests for them anyhow. So it was a problem.